
ServiceNow Incident Integration: How to create/update incident using alert


I am using the ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that run on certain search conditions: alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and it is working fine. Now the issue is that with the Correlation ID set, when alert_create_incident runs next, it does not create a new incident but updates the previously closed incident's state to new. I thought of running a script as an alert action but ended up in the same situation: having to set a dynamic correlation ID for both alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts? Any help/suggestions would be appreciated. Thanks.


Splunk Employee


The ServiceNow add-on searches for the incident based on its Correlation ID. Hence, the issue you are facing (re-opening the same incident) might be caused by your use of a static Correlation ID, which refers to the same incident every time.

In order to create a new incident every time, you should use some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident.

Hope this helps.
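
An added example, not part of the original answer and not the add-on's own code: a toy Python model of the lookup-by-Correlation-ID behaviour described above, comparing a static ID with one derived from event fields. The field names `host` and `episode_start`, the `IncidentTable` class and the SHA-256 derivation are assumptions for illustration; the point is that both alerts must return the same fields for one episode so they compute the same ID.

```python
import hashlib

class IncidentTable:
    """Toy model: incidents are found by correlation ID; created if absent, updated if present."""
    def __init__(self):
        self.rows = {}     # correlation_id -> incident record
        self.created = 0   # number of distinct incidents created

    def upsert(self, correlation_id, state):
        inc = self.rows.get(correlation_id)
        if inc is None:
            self.created += 1
            inc = {"number": f"INC{self.created:07d}", "history": []}
            self.rows[correlation_id] = inc
        inc["state"] = state
        inc["history"].append(state)
        return inc["number"]

def correlation_id(result, fields=("host", "episode_start")):
    """Derive the ID from fields that the create and the update alert both
    return for the same episode (hypothetical field names)."""
    material = "|".join(str(result[f]) for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()

# Constructed sample search results: two separate episodes on the same host.
EPISODES = [
    {"host": "web01", "episode_start": "2022-06-27T10:00:00Z"},
    {"host": "web01", "episode_start": "2022-06-27T14:30:00Z"},
]

def run(id_for):
    """Replay create-then-close for each episode using the given ID function."""
    table = IncidentTable()
    numbers = []
    for ep in EPISODES:
        opened = table.upsert(id_for(ep), "New")      # alert_create_incident
        closed = table.upsert(id_for(ep), "Closed")   # alert_update_incident
        assert opened == closed                       # the pair must hit one incident
        numbers.append(opened)
    return table, numbers

# Static ID: the second episode reopens the incident closed by the first.
static_table, static_numbers = run(lambda ep: "my-static-id")
# Derived ID: each episode gets its own incident, and its own close.
dynamic_table, dynamic_numbers = run(correlation_id)

if __name__ == "__main__":
    print("static :", static_numbers, static_table.rows["my-static-id"]["history"])
    print("dynamic:", dynamic_numbers)
```
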
